Overview of Advanced Access Requests

Advanced Access Requests implements a self-service workflow for requesting and assigning ERP roles. As steps in this workflow, access controls perform separation-of-duties (SOD) and sensitive-access analysis, and a review-and-approval process takes place.

Your current provisioning process might involve four manual steps: First, use the Security Console to assign Fusion roles to ERP users. Second, use the Manage Data Access for Users task in Functional Setup Manager to set data security for the role assignments. Third, check for SOD and sensitive-access policy violations. And last, document business-owner approvals, for example via email.

But Advanced Access Requests replaces these steps. Here's how it works:

Flow diagram shows tasks involved in using Advanced Access Requests.

You request one or more roles either for yourself or for another user. You can request any role that can be assigned directly to a user, such as a job, data, or abstract role. Along with the role, you may make data requests, which define a set of data records the user can create or work with. For example, these might be records associated with a business unit you specify. If the request were to be granted, the user's authorization for the role would apply only to those records.

An Advanced Access Request Analysis job then evaluates access controls to uncover SOD violations. Requested roles may conflict either with each other or with a user's already-assigned roles. The job runs on a schedule, although you can run it on demand in the Scheduling page of Risk Management Setup and Administration. In either case, it analyzes all requests that have accumulated since its previous run. When the job finishes running, Advanced Access Requests reports the number of control violations for each role request. It also names the controls that have found violations, identifies the roles that conflict, and provides related data.
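The following added example sketches the kind of check the analysis step describes: each pending request is compared with the user's assigned roles and with other roles requested for the same user. It is not Oracle's implementation; the control model (pairs of conflicting roles), the role names, the users, and the `analyze` function are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed SOD controls: each names two roles one user should not hold together.
# Hypothetical model for illustration; real controls are defined in the product.
CONTROLS = {
    "Create vs Pay Supplier": frozenset({"Supplier Manager", "Payables Manager"}),
    "Enter vs Post Journal": frozenset({"Journal Clerk", "Journal Approver"}),
}

@dataclass(frozen=True)
class RoleRequest:
    request_id: int
    user: str
    role: str

def analyze(pending, assigned):
    """Check each pending request against the user's assigned and co-requested roles.

    Returns {request_id: [(control, conflicting_role, "assigned" | "requested")]}.
    """
    results = {}
    for req in pending:
        # Other roles requested for the same user in this batch.
        co_requested = {r.role for r in pending
                        if r.user == req.user and r.request_id != req.request_id}
        existing = assigned.get(req.user, set())
        findings = []
        for name, pair in sorted(CONTROLS.items()):
            if req.role not in pair:
                continue
            (other,) = pair - {req.role}
            if other in existing:
                findings.append((name, other, "assigned"))
            if other in co_requested:
                findings.append((name, other, "requested"))
        results[req.request_id] = findings
    return results

# Constructed sample data: roles already held, and requests accumulated since the last run.
ASSIGNED = {"jdoe": {"Supplier Manager"}}
PENDING = [
    RoleRequest(1, "jdoe", "Payables Manager"),    # conflicts with an assigned role
    RoleRequest(2, "asmith", "Journal Clerk"),     # conflicts with request 3
    RoleRequest(3, "asmith", "Journal Approver"),  # conflicts with request 2
    RoleRequest(4, "asmith", "Employee"),          # no control applies
]

if __name__ == "__main__":
    for rid, findings in analyze(PENDING, ASSIGNED).items():
        print(f"request {rid}: {len(findings)} violation(s) {findings}")
```

Each request carries its own violation list, so a conflict between two requested roles is reported against both requests.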

The person who makes final decisions about requests is known as a "request approver." But before deciding on a given request, the approver may select a reviewer for it. This person judges whether the risk is acceptable, and therefore whether the request should be granted or refused. By default the reviewer is the manager of the user for whom the role has been requested. However, the request approver may select another person with an interest in the work the user would be doing. In any case, the reviewer's judgment isn't binding, and the review process is optional.

Regardless of whether the review step takes place, the request approver determines whether to approve or reject the role for the user. For each approved role, Advanced Access Requests automatically completes these tasks:

  • Updates the user's record in the Security Console to add the requested role. This happens whenever a role assignment is approved.
  • Creates a new record in the Manage Data Access for Users task of Functional Setup Manager. This record associates the user, role, and data request with one another. This happens only when an approved request includes a data request.
  • Creates incidents in the Results work area to track control violations, if the request has generated any.

The request approver can also remove roles from users to whom they're assigned. The approver may be responding to requests by business owners or to removal reports generated by analysis in Oracle Fusion Cloud Access Certifications.