Create Risk Management Roles in the Security Console

You can use the Security Console to create Oracle Fusion Cloud Risk Management job or duty roles.

In many cases, an efficient method of creating a role is to copy an existing role, then edit the copy to meet your requirements. Typically, you'd create a role from scratch if no existing role is similar to the role you want to create.

To create a role from scratch, select the Roles tab in the Security Console, then click the Create Role button. Enter values in a series of role-creation pages, selecting Next or Back to navigate among them.

Provide Basic Information

On the Basic Information page:

  1. In the Role Name field, create a display name, for example North America Risk Manager.

  2. In the Role Code field, create an internal name for the role, such as GRC_NA_RISK_MGR_JOB.

    Note: Don't use "ORA_" as the beginning of a role code. This prefix is reserved for roles predefined by Oracle. You can't edit a role with the ORA_ prefix.

  3. In the Role Category field, select a tag that identifies a purpose the role serves in common with other roles. Typically, a tag specifies a role type and an application the role applies to. For Oracle Risk Management, appropriate tags are "GRC - Job Roles" and "GRC - Duty Roles."

    If you select the duty-role category, you can't assign the role you're creating directly to users. To assign it, you'd include it in the hierarchy of a job role, then assign that role to users.

  4. Optionally, describe the role in the Description field.

Add Function Security Policies

A function security policy selects a set of functional privileges; each permits use of a field or other user-interface feature. On a Function Security Policies page, you may define a policy for a duty role. The policy selects functional privileges to be inherited by other roles the duty role belongs to. Typically, you don't add function security policies directly to a job role.

As you define a policy, you can either add an individual privilege or copy all the privileges that belong to an existing role:

  1. Select Add Function Security Policy.

  2. In a Search field, select the Privileges value or role types in any combination, and enter at least three characters. The search returns items of the types you selected, whose names contain the characters you entered.

  3. Select a privilege or role. If you select a privilege, click Add Privilege to Role. If you select a role, click Add Selected Privileges.

The Function Security Policies page lists all selected privileges. When appropriate, it also lists the role a privilege is inherited from. You can:

  • Click a privilege to view details of the code resource that it secures.

  • Delete a privilege. If, for example, you added the privileges associated with a role, but want to use only some of them, you must delete the rest. To delete a privilege, click its deletion icon (×).

Data Security Policies

Data security policies apply to Oracle Cloud applications other than Oracle Risk Management. If you're creating a Risk Management role, make no entries in the Data Security Policies page. Simply click Next to move to the next page.

Configure the Role Hierarchy

In a Role Hierarchy page, you link the role you're creating to other roles from which it's to inherit functional privileges.

  • If you're creating a duty role, you can add duty roles to it. In effect, you're creating an expanded set of duties for incorporation into a job role.

  • If you're creating a job role, you can add duty roles to it.

The page displays either a visualization table or a visualization graph with the role you're creating as its focus. Select the Show Graph button or View as Table button to select between them. However, you can add roles only when the visualization table is selected.

To add a role:

  1. Ensure that View as Table is selected. Then click the Add Role option.

  2. In a Search field, select a combination of role types, and enter at least three characters. The search returns items of the types you selected, whose names contain the characters you entered.

  3. Select the role you want, and click Add Role Membership. You add not only the role you've selected, but also its entire hierarchy.

In the graph view, you can use the visualization Control Panel, Legend, and Overview tools to manipulate the nodes that define your role hierarchy.

Run Separation of Duties Analysis

On a Separation of Duties page, you can determine whether the hierarchy of the role you're creating includes separation of duties conflicts. These are pairs of roles that would allow an individual user to complete tasks that involve risk.

Note, however:

  • Separation of duties conflicts are defined by provisioning rules. You would use the Separation of Duties page only if your organization uses Oracle Fusion Cloud Advanced Controls to create those provisioning rules.

  • The Separation of Duties page is active only if your organization has set an ASE_SEGREGATION_OF_DUTIES_SETTING profile option to Yes in the Manage Administrator Profile Values page of Oracle Fusion Functional Setup Manager. (It would be appropriate for the option to be set to No if your organization doesn't use provisioning rules.)

If these two conditions are met, click the Analyze button. The Separation of Duties page then lists pairs of roles that provisioning rules define as conflicting. You'd be expected to return to the Role Hierarchy page to remove one role from each pair.

However, no validation is performed to confirm that you've done so. Be aware, therefore, that if you don't perform this role cleanup, you're creating a role that can't be assigned to any user without creating what your organization considers to be a separation of duties conflict.
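Because the console doesn't confirm the cleanup, the same check can be repeated offline before the role is saved. The Python below is an added example, not Oracle code or an Oracle API: it walks the full inherited hierarchy (adding a role adds its entire hierarchy) and reports any conflicting pair still present, along with use of the reserved ORA_ prefix. It assumes the hierarchy and conflict pairs have been transcribed as plain data; every role code other than GRC_NA_RISK_MGR_JOB is hypothetical.

```python
# Constructed sample data throughout: not Oracle-delivered roles or rules.

# Direct memberships: role code -> roles added to it on the Role Hierarchy page.
HIERARCHY = {
    "GRC_NA_RISK_MGR_JOB": ["GRC_RISK_EDIT_DUTY", "GRC_CONTROL_REVIEW_DUTY"],
    "GRC_RISK_EDIT_DUTY": ["GRC_RISK_VIEW_DUTY"],
    "GRC_CONTROL_REVIEW_DUTY": ["GRC_CONTROL_APPROVE_DUTY"],
    "GRC_RISK_VIEW_DUTY": [],
    "GRC_CONTROL_APPROVE_DUTY": [],
}

# Pairs that (hypothetical) provisioning rules define as conflicting.
CONFLICT_PAIRS = [
    ("GRC_RISK_EDIT_DUTY", "GRC_CONTROL_APPROVE_DUTY"),
    ("GRC_RISK_VIEW_DUTY", "GRC_AUDIT_ADMIN_DUTY"),
]


def effective_roles(role, hierarchy):
    """Return the role plus everything it inherits, directly or transitively."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:  # guards against cycles in transcribed data
            continue
        seen.add(current)
        stack.extend(hierarchy.get(current, []))
    return seen


def remaining_conflicts(role, hierarchy, conflict_pairs):
    """List conflict pairs whose two members are both still in the hierarchy."""
    roles = effective_roles(role, hierarchy)
    return sorted(tuple(sorted(p)) for p in conflict_pairs if set(p) <= roles)


def review_role(role, hierarchy, conflict_pairs):
    """Collect findings to resolve before selecting Save and Close."""
    findings = []
    if role.startswith("ORA_"):
        findings.append("role code uses the reserved ORA_ prefix")
    for a, b in remaining_conflicts(role, hierarchy, conflict_pairs):
        findings.append(f"separation of duties conflict: {a} + {b}")
    return findings


if __name__ == "__main__":
    for finding in review_role("GRC_NA_RISK_MGR_JOB", HIERARCHY, CONFLICT_PAIRS):
        print(finding)
```

In the sample data the conflict arises only through inheritance: one member of the pair is added directly, the other arrives inside another duty role's hierarchy, which is the case most easily missed when reviewing the table view by eye.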

Add Users

On a Users page, you can select users to whom you want to assign a job role you're creating. (You don't assign a duty role directly to users.)

When you add a user to a job role, he or she can access pages to which the role grants functional access. Data appears in data-secured pages, however, only when the user creates records (if the role grants that capability) or is selected for records by owners of those records.

To add a user:

  1. Select Add Users.

  2. In a Search field, select the value Users or types of role in any combination, and enter at least three characters. The search returns items of the types you selected, whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users; this adds all its assigned users to the role you're creating.

The Users page lists all selected users. You can delete a user. You may, for example, have added all the users associated with a role. But you may intend to assign your new role only to some of them, and so must delete the rest. To delete a user, click its deletion icon (×).

Complete the Role

On a Summary and Impact Report page, review the selections you've made. Summary listings show the numbers of function security policies, roles, and users you've added and removed. An Impact listing shows the number of roles and users affected by your changes. Expand any of these listings to see names of policies, roles, or users included in its counts.

If you determine you want to make changes, navigate back to the appropriate page and do so. If you're satisfied with the role, select Save and Close.