Working with Roles in the Security Console

This topic describes the tasks associated with roles that you complete using the Security Console.

You can use the Security Console to perform a variety of tasks related to roles, including:

  • View the roles assigned to a user.

  • Identify users who have a specific role.

  • Copy existing roles.

  • Create duty, job, or abstract roles.

You must have the IT Security Manager job role to perform these tasks.

Viewing the Roles Assigned to a User

  1. Open the Security Console.

  2. On the Roles tab, search for and select the user.

    Depending on the enterprise setting, either a table or a graphical representation of the user's role hierarchy appears. Switch to the graphical representation if necessary to see the user and any roles that the user inherits directly. User and role names appear on hover. To expand an inherited role:

    1. Select the role and right-click.

    2. Select Expand. Repeat these steps as required to move down the hierarchy.

    Tip: Switch to the table to see the complete role hierarchy at once. You can export the details to Microsoft Excel from this view.

Identifying Users Who Have a Specific Role

  1. On the Roles tab of the Security Console, search for and select the role.

  2. Depending on the enterprise setting, either a table or a graphical representation of the role hierarchy appears. Switch to the graphical representation if it doesn't appear by default.

  3. Set Expand Toward to Users.

    Tip: Set the Expand Toward option to control the direction of the graph. You can move either up the hierarchy from the selected role (toward users) or down the hierarchy from the selected role (toward privileges).

    In the refreshed graph, user names appear on hover. Users may inherit roles either directly or indirectly from other roles. Expand a role to view its hierarchy.

  4. In the Legend, click the Tabular View icon for the User icon. The table lists all users who have the role. You can export this information to Microsoft Excel.

Reviewing Role Hierarchies

On the Security Console you can review the role hierarchy of a job role, an abstract role, or a duty role.

  1. On the Roles tab of the Security Console, ensure that Expand Toward is set to Privileges.

  2. Search for and select the role. Depending on the enterprise setting, either a table or a graphical representation of the role appears.

  3. If the table doesn't appear by default, click the View as Table icon. The table lists every role inherited either directly or indirectly by the selected role. Set Show to Privileges to switch from roles to privileges.

    Tip: Enter text in a column search field and press Enter to show only those roles or privileges that contain the specified text.

Click Export to Excel to export the current table data to Microsoft Excel.

Comparing Roles

You can compare any two roles to see the structural differences between them. As you compare roles, you can also add function and data security policies existing in the first role to the second role, provided that the second role is not a predefined role.

For example, assume you have copied a role and edited the copy. You then upgrade to a new release. You can compare your edited role from the earlier release with the role as shipped in the later release. You may then decide whether to incorporate upgrade changes into your edited role. If the changes consist of new function or data security policies, you can upgrade your edited role by adding the new policies to it.

  1. Select the Roles tab in the Security Console.

  2. Do any of the following:

    • Click the Compare Roles button.

    • Create a visualization graph, right-click one of its roles, and select the Compare Roles option.

    • Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menu icon. In the menu, select Compare Roles.

  3. Select roles for comparison:

    • If you began by clicking the Compare Roles button, select roles in both First Role and Second Role fields.

    • If you began by selecting a role in a visualization graph or the Search Results column, the First Role field displays the name of the role you selected. Select another role in the Second Role field.

    For either field, click the search icon, enter text, and select from a list of roles whose names contain that text.

  4. Select two roles for comparison.

  5. Use the Filter Criteria field to filter for any combination of these artifacts in the two roles:

    • Function security policies

    • Data security policies

    • Inherited roles

  6. Use the Show field to determine whether the comparison returns:

    • All artifacts existing in each role

    • Those that exist only in one role, or only in the other role

    • Those that exist only in both roles

  7. Click the Compare button.

You can export the results of a comparison to a spreadsheet. Select the Export to Excel option.

After you create the initial comparison, you can change the filter and show options. When you do, a new comparison is generated automatically.

Adding Policies to and Modifying Delivered Roles

For Oracle Public Sector Licensing and Permitting, you should not modify the functional or data security policies of delivered roles. The Oracle Public Sector Licensing and Permitting system is REST-based, and, as such, the functional and data security policies should not be separated from the roles. Doing so risks the REST layer becoming out of sync with the modified role, causing unintentional security behavior.

The intent of the Oracle Permitting and Licensing security implementation approach is to require as little configuring and customizing as possible.

The recommendations for working with Oracle Permitting and Licensing are:

  • Assign users to the closest job role that matches their intended usage of the system. Doing so is the simplest, most efficient, and safest approach.

  • If a user has a dual role, multiple job roles can be assigned to the same user.

  • If you must modify a delivered role, consider cloning the delivered role, and adding or removing duty roles or aggregate roles on the Role Hierarchy tab.

  • The Function Security Policies tab and Data Security Policies tab should never be modified.

Custom Role Considerations

In many cases, an efficient method of creating a role is to copy an existing role, then edit the copy to meet your requirements. Typically, you would create a role from scratch if no existing role is similar to the role you want to create.

To create a role from scratch, select the Roles tab in the Security Console, then click the Create Role button. Enter values in a series of role-creation pages, selecting Next or Back to navigate among them.

Providing Basic Information

On a Basic Information page:

  1. In the Role Name field, create a display name, for example North America Accounts Receivable Specialist.

  2. In the Role Code field, create an internal name for the role, such as AR_NA_ACCOUNTS_RECEIVABLE_SPECIALIST_JOB.

    Note: Do not use "ORA_" as the beginning of a role code. This prefix is reserved for roles predefined by Oracle. You cannot edit a role with the ORA_ prefix.

  3. In the Role Category field, select a tag that identifies a purpose the role serves in common with other roles. Typically, a tag specifies a role type and an application to which the role applies, such as Financials - Job Roles.

    If you select a duty-role category, you cannot assign the role you are creating directly to users. To assign it, you would include it in the hierarchy of a job or abstract role, then assign that role to users.

  4. Optionally, describe the role in the Description field.

Adding Function Security Policies

Note: Do not add function or data security policies manually to the roles used in Public Sector Licensing and Permitting offerings.

Configuring the Role Hierarchy

A Role Hierarchy page displays either a visualization graph, with the role you are creating as its focus, or a visualization table. Select the Show Graph button or View as Table button to select between them. In either case, link the role you are creating to other roles from which it is to inherit function and data security privileges.

  • If you are creating a duty role, you can add duty roles or aggregate privileges to it. In effect, you are creating an expanded set of duties for incorporation into a job or abstract role.

  • If you are creating a job or abstract role, you can add aggregate privileges, duty roles, or other job or abstract roles to it.

To add a role:

  1. Select Add Role.

  2. In a Search field, select a combination of role types and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select the role you want, and click Add Role Membership. You add not only the role you have selected, but also its entire hierarchy.

In the graph view, you can use the visualization Control Panel, Legend, and Overview tools to manipulate the nodes that define your role hierarchy.

Adding Users to Roles

On a Users page, you can select users to whom you want to assign a job or abstract role you are creating. (You cannot assign a duty role directly to users.)

Note: For the Users page to be active, you must select an "Enable edit of user role membership" option. To locate it, select the Administration tab, and then the Roles tab on the Administration page. If this option is not selected, the Users page is read-only.

To add a user:

  1. Select Add User.

  2. In a Search field, select the value Users or types of role in any combination and enter at least three characters. The search returns values including items of the type you selected, whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users; this adds all its assigned users to the role you are creating.

The Users page lists all selected users. You can delete a user. You may, for example, have added all the users associated with a role. If you want to assign your new role only to some of them, you must delete the rest. To delete a user, click its x icon.

Copying and Editing Roles

Rather than create a role from scratch, you can copy a role, then edit the copy to create a new role. Or you can edit existing custom roles.

Note: Do not edit roles delivered by Oracle.

Initiate a copy or an edit from the Roles tab in the Security Console. Do either of the following:

  • Create a visualization graph and select any role in it. Right-click and select Copy Role or Edit Role.

  • Generate a list of roles in the Search Results column of the Roles page. Select one of them, and click its menu icon. In the menu, select Copy Role or Edit Role.

If you are copying a role, select one of two options in a Copy Option dialog:

  • Copy role: You copy only the role you have selected. The source role has links to roles in its hierarchy, and the copy inherits links to the original versions of those roles. If you select this option, subsequent changes to the inherited roles affect not only the source highest role, but also your copy.

  • Copy role and inherited roles: You copy not only the role you have selected, but also all of the roles in its hierarchy. Your copy of the highest role is connected to the new copies of subordinate roles. If you select this option, you insulate the copied role from changes to the original versions of the inherited roles.

Next, an editing train opens. You follow the same process in editing a role as you would to create one. However, note the following:

  • In the Basic Information page, a Predefined role box is checked if you selected the Edit Role option for a role shipped by Oracle. In that case, you can:

    • Add custom data security policies. Modify or remove those custom data security policies.

    • Add or remove users if the role is a job, abstract, or discretionary role.

    You cannot:

    • Modify, add, or remove function security policies.

    • Modify or remove data security policies provided by Oracle.

    • Modify the role hierarchy.

    The Predefined role check box is cleared if you are editing a custom role or if you have copied a role. In that case, you can make any changes to role components.

  • By default, the name and code of a copied role match the source role's, except a prefix, suffix, or both are appended. In the Roles Administration page, you can configure the default prefix and suffix for each value.

  • A copied role cannot inherit users from a source job or abstract role. You must select users for the copied role. (They may include users who belong to the source role.)

  • When you copy a role, the Role Hierarchy page displays all roles subordinate to it. However, you can add roles only to, or remove them from, the highest role you copied.

To monitor the status of a role-copy job, select the Administration tab, and then the Role Copy Status tab of the Administration page.

Copying a Top Role

When you copy a role on the Security Console, you select one of the following options:

  • Copy top role

  • Copy top role and inherited roles

If you select the Copy top role option, then only the top role from the selected role hierarchy is copied. Memberships are created for the copy in the roles of which the original is a member. That is, the copy of the top role references the inherited role hierarchy of the source role. Any changes made to those inherited roles appear in both the source role and the copy. Therefore, you must take care when you edit the role hierarchy of the copy. You can:

  • Add roles directly to the copy without affecting the source role.

  • Remove any role from the copy that it inherits directly without affecting the source role. However, if you remove any role that's inherited indirectly by the copy, then any role that inherits the removed role's parent role is affected.

  • Add or remove function and data security privileges that are granted directly to the copy of the top role.

If you copy a custom role and edit any inherited role, then the changes affect any role that inherits the edited role.

The option of copying the top role is referred to as a shallow copy, where the copy references the same instances of the inherited roles as the source role. No copies are made of the inherited roles.

It's recommended that you create a shallow copy unless you must make changes that could affect other roles or that you couldn't make to predefined roles. To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. To copy the inherited roles, select the Copy top role and inherited roles option.

Tip: The Copy Role: Summary and Impact Report page provides a useful summary of your changes. Review this information to ensure that you haven't accidentally made a change that affects other roles.

Copy a Top Role and the Inherited Roles

Selecting Copy top role and inherited roles is a request to copy the entire role hierarchy. These rules apply:

  • Inherited aggregate privileges are never copied. Instead, membership is added to each aggregate privilege for the copy of the source role.

  • Inherited duty roles are copied if a copy with the same name doesn't already exist. Otherwise, membership is added to the existing copies of the duty roles for the new role.

When inherited duty roles are copied, custom duty roles are created. Therefore, you can edit them without affecting other roles. Equally, changes made subsequently to the source duty roles don't appear in the copies of those roles. For example, if those duty roles are predefined and are updated during upgrade, then you may have to update your copies manually after upgrade.

This option is referred to as a deep copy. Where copies of the inherited duty roles with the same name don't already exist, the inherited duty roles are copied when you copy the top role. Aggregate privileges are referenced from the new role.
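The following Python model is an added example, not Oracle code or part of the original topic. It shows why a shallow copy follows later changes to the inherited roles while a deep copy of a duty role does not, and how comparing effective privileges after an upgrade exposes the difference. The role codes, privilege names, and suffixes are constructed, and treating every non-aggregate inherited role like a duty role is an assumption.

```python
# Added example: toy in-memory model of the two copy options described above.
# Role codes, privilege names and suffixes are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Role:
    code: str
    kind: str  # "job", "abstract", "duty" or "aggregate"
    privileges: set = field(default_factory=set)  # granted directly
    inherits: list = field(default_factory=list)  # directly inherited roles


def effective_privileges(role, _seen=None):
    """Expand toward privileges: union of direct and inherited grants."""
    seen = set() if _seen is None else _seen
    if role.code in seen:  # already visited (shared or cyclic membership)
        return set()
    seen.add(role.code)
    privs = set(role.privileges)
    for child in role.inherits:
        privs |= effective_privileges(child, seen)
    return privs


def copy_top_role(src, suffix):
    """Shallow copy: new top role that references the SAME inherited roles."""
    return Role(src.code + suffix, src.kind, set(src.privileges), list(src.inherits))


def _copy_inherited(role, copies, suffix):
    # Aggregate privileges are never copied; the new role just references them.
    if role.kind == "aggregate":
        return role
    # Assumption: any other inherited role is handled like a duty role.
    code = role.code + suffix
    if code not in copies:  # copy only if a copy with that name doesn't exist
        copies[code] = Role(code, role.kind, set(role.privileges))
        copies[code].inherits = [_copy_inherited(c, copies, suffix) for c in role.inherits]
    return copies[code]


def copy_top_and_inherited(src, copies, suffix):
    """Deep copy: new top role linked to custom copies of inherited duty roles."""
    top = Role(src.code + suffix, src.kind, set(src.privileges))
    top.inherits = [_copy_inherited(c, copies, suffix) for c in src.inherits]
    return top


def only_in_first(first, second):
    """Privileges reachable from the first role but not from the second."""
    return sorted(effective_privileges(first) - effective_privileges(second))


def upgrade_drift():
    """Copy a job role both ways, then simulate an upgrade of its hierarchy."""
    agg = Role("DEMO_VIEW_PERMIT_AGG", "aggregate", {"VIEW_PERMIT"})
    duty = Role("DEMO_PERMIT_INTAKE_DUTY", "duty", {"CREATE_PERMIT"}, [agg])
    job = Role("DEMO_PERMIT_TECH_JOB", "job", set(), [duty])
    shallow = copy_top_role(job, "_SHALLOW")
    deep = copy_top_and_inherited(job, {}, "_DEEP")
    # Simulated upgrade: the source duty role and the aggregate both gain a privilege.
    duty.privileges.add("CANCEL_PERMIT")
    agg.privileges.add("PRINT_PERMIT")
    return {"shallow": only_in_first(job, shallow), "deep": only_in_first(job, deep)}


if __name__ == "__main__":
    print(upgrade_drift())
```

The deep copy still picks up the change to the aggregate privilege because that node is referenced rather than copied; only the change to the copied duty role has to be carried over manually.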

Copying Job and Abstract Roles

You can copy any job role or abstract role and use it as the basis for a custom role. Copying roles is more efficient than creating them from scratch, especially if your changes are minor.

  1. On the Roles tab of the Security Console, search for the role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: Click the Show Graph icon to show the hierarchy in graphical format.

  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, review and edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.

  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

    If you prefer, you can visit the intermediate train stops after the Copy Role: Basic Information page and edit your copy of the role before you save it.

Editing Job and Abstract Roles

You can create a role by copying a predefined job role or abstract role and editing the copy.

Note: It is not recommended to create job or abstract roles from scratch in the Public Sector Licensing and Permitting services, except for any custom roles specifically documented in Functional Setup Manager. Copy existing roles and modify as needed.

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures in the Details section of the page.

Note: For Oracle Public Sector Licensing and Permitting, do not remove privileges from roles.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Make no changes on the Copy Role: Data Security Policies page.

Note: Whether this page is enabled for edit depends on the current setting of the Enable edit of data security policies option. Set this option on the Roles subtab of the Security Console Administration tab.

Click Next.

The Edit Role: Role Hierarchy page shows the copied role and its inherited aggregate privileges and duty roles. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

To provision the role to users, you must create a role mapping. Don't provision the role to users on the Security Console.

Note: Whether this page is enabled for edit depends on the current setting of the Enable edit of user role membership option. Set this option on the Roles subtab of the Security Console Administration tab.

Click Next.

Copying and Editing Duty Roles

You can copy a duty role and edit the copy to create a duty role. Copying duty roles is the recommended way of creating duty roles.

  1. On the Roles tab of the Security Console, search for the duty role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: Click the Show Graph icon to show the hierarchy in graphical format.

  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.

  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

To edit the role:

  1. On the Roles tab of the Security Console, search for and select your copy of the duty role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures.

Note: For Oracle Public Sector Licensing and Permitting, do not remove privileges from roles.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Make no changes on the Edit Role: Data Security Policies page.

Note: Whether this page is enabled for edit depends on the current setting of the Enable edit of data security policies option. Set this option on the Roles subtab of the Security Console Administration tab.

Click Next.

The Edit Role: Role Hierarchy page shows the copied duty role and any duty roles and aggregate privileges that it inherits. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the information message.

To add a role:

  1. Click Add Role.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.