1. Using Advanced Controls
  2. Use Dashboards to Work with Role Requests

Use Dashboards to Work with Role Requests

When you open any of the three Advanced Access Requests work areas, the landing page is a dashboard.

  • The My Access Requests dashboard presents records of requests you've made for yourself or for others, as well as requests others have made on your behalf.
  • The Access Request Reviews dashboard displays records of requests you've been selected to review.
  • The Access Request Approvals dashboard (shown here as an example) contains records of requests for which you're an eligible request approver.
The Access Request Approvals dashboard displays records of four role requests.

Each record shows the name of a user for whom a request has been made, an ID number for the request, and a "badge" that displays the number of controls that have been violated. (A badge might state "Queued" if the request is so new that the Advanced Access Request Analysis job hasn't yet run against it, or "Analyzing" if analysis is under way.)

Records are categorized by status. You click a filtering option to view request records that include roles whose approval has reached the status you select. In this example, the New Requests option is selected, so you see requests that include roles for which no action has yet been taken. (See "Filtering," below.)

View Request Summaries

To view summary information about a request, click its request ID in a dashboard. Here's an example of a summary record opened from the Access Request Approvals dashboard. A single role, Accounts Payable Manager, has been requested, along with the Business Unit security context. (More on security contexts a little later.) Its badge ("1 violation") shows that if granted, the role assignment would violate one control.

A record of a role request has been selected in the Access Request Approvals dashboard. This produces a summary of the request.

Even though a summary record applies to a single request, it also provides status-based filtering options. That's to accommodate multiple-role requests.

Filtering

A single request may be for more than one role, and the approval process for those roles may be at more than one status. You filter by status for the requests you want to work with.

  • In the My Access Requests and Access Request Approvals dashboards, the filter for a given status returns all request records that include any roles at that status. This means that the record for a multiple-role request ID may be selected by more than one filter.

    For example, suppose that a request includes two roles. The result approver has assigned one to a reviewer, but has not yet done anything with the other. A record of the request would appear if you were to select either the New Requests filter or the Pending Review filter.

    The Access Request Reviews dashboard is an exception: It offers no filtering options. That's because it displays only records at the Pending Review status, so there's no other status to filter for.

  • In a summary record, you can filter by status for roles included in the single request whose summary you're viewing.

    These filters differ somewhat from those available in the dashboards, enabling you to revisit role requests on which you've already worked. For example, while the Access Request Reviews dashboard has no filtering options, a summary record opened from that dashboard has three filters, not only Pending Review, but also Accepted Risks and Declined Risks.

View Request Details

From a summary record, you can open a drawer that displays full details for a role you select. If the role you want to work with isn't already on display, select a status filter that returns it. Then click on its name. The drawer opens with the requested role as its heading, and the summary record in the background. (To improve readability, the remaining illustrations show only the drawer.)

The details drawer for a role request has been opened. By default an Approvals tab is selected, showing the history of work on the request.

Click tabs to view types of information you want to see. When you select a tab, its name is underlined and boldfaced. Approvals and Data Requests are tabs available in records opened from any dashboard. Additional tabs are available only in records opened from the Access Request Reviews and Access Request Approvals dashboards. These include Control Violations, Conflicting Roles, and Worker Info.

  • Approvals is the default tab when you open a drawer. In this view, you initially see a list of request approvers (all users assigned the Access Request Security Administrator role). Any one of them may act on the request. When one does, that approver takes responsibility for the request, and other approvers are removed.

    From then on, the Approvals view shows a history of work on the request. In the previous illustration, for example, the bottom row shows that the request approver, Eugene Onegin, assigned a reviewer. (The badge for this row says "Assigned.") The middle row shows that the reviewer, Hans Sachs, has recommended approval. (Its badge says "Accepted risk.") The top row shows that the request awaits final action by the request approver. (Its badge says "Pending Approval.") The middle column in each row shows the date and time when the action occurred, and comments written by the actor.

  • Select Data Requests to see the data-security definition configured for the role when it was requested.

    At minimum, a data request consists of two components: A "security context" may be Asset Book, Business Unit, Data Access Set, Ledger, or Reference Data Set. A "security value" is an item appropriate for one of these contexts, configured by your organization. If the role request were approved, it would grant access only to data associated with the security value. For example, if a role request includes the Business Unit context and the name of a business unit as its security value, it would apply only to data pertaining to that unit.

    However, data requests can be more complex. First, the person who requests a role can select any number of security values for a security context. The role would then provide access to data records associated with any of the values. (In the following illustration, for example, the security context is Business Unit, and there are two security values, Vision USA and Vision Mexico.)

    In the details drawer for a role request, the Data Requests tab is selected. It displays two business units that have been selected as security values for the request.

    Second, the requester can select any number of security contexts, with values appropriate to each. To do so, the requester creates multiple requests for a role, each selecting security values for a distinct security context. The role would then provide access to data records that satisfy values selected for any of the contexts. However, this isn't a common occurrence. Typically, a single security context is appropriate for a role.

  • Select Control Violations to see the names of the access controls violated by the role request. You'll also see counts of the violated controls and the total number of evaluated controls.

  • Select Conflicting Roles to see a list of roles that would conflict with the requested role if the request were approved. For each role, you can also read a description. A long description may be truncated, but you can hover over it to see it in full.

    In the following illustration, the Conflicting Roles tab is selected. The requested role appears as the heading, and each role in the Conflicting Roles list conflicts with it. So although the status badge for this request indicates one control has been violated (and you could confirm this by clicking the Control Violations tab), this request involves two conflicts.

    In the details drawer for a role request, the Conflicting Roles tab is selected, and a list of conflicting roles is on display.

    Note that it's possible for a requested role to conflict with itself. Here, for example, Accounts Payable Manager appears as both the requested role and one of the conflicting roles. This is an example of what's known as an "intrarole" conflict: A role on its own includes access points (privileges in this case) that an access control defines as conflicting.

  • Select Worker Info to see information about two people. On the left, this view identifies the user for whom the role is requested, and on the right, that user's manager. For each, it displays the first and last name, job title, email address, and telephone number. For the user, the view also displays the legal employer, business unit, and department. All of this information is taken from the user's employee record in Human Capital Management. If a request approver decides to submit this request for review, the manager is the default selection for reviewer.

To close the details drawer, click its deletion (×) icon. To return from a summary page to a dashboard, click the View Dashboard button.