Overview of Provisioning Rules

Provisioning rules enable you to prevent the assignment of Oracle Cloud roles in combinations that cause separation-of-duties conflicts.

Each rule identifies two roles that conflict with one another. Rule results can inform decisions you make as you create roles or as you grant roles to users.

You can create these rules manually, focusing on role conflicts that are important to you. Or you can run a Generate Provisioning Rules job to generate rules automatically. It evaluates all your active access controls to create rules, one for each pair of conflicting roles identified by each control. (For each run, the Monitor Jobs page displays not only a listing for the Generate Provisioning Rules job, but also one or more listings for a related Auto Provisioning job.)

Once you've created provisioning rules, you can use them in two ways:

  • As you create or edit a role in the Security Console, you can evaluate provisioning rules in a Separation of Duties page. This enables you to avoid creating roles that have inherent conflicts. Analysis in the Security Console returns conflicts when roles named in a provisioning rule exist anywhere in the role hierarchy of the role you're creating or editing.

  • You can integrate rules with your user-provisioning workflow or process. To do that, you use a method available in an Oracle REST API. This method returns conflicts only when roles named in each provisioning rule are directly assigned to, or requested for, a user; it doesn't search through role hierarchies.
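The difference between the two checks above (hierarchy-aware in the Security Console versus direct-assignment-only through the REST method) can be modelled in a few lines. This is an added illustration, not Oracle's code or API; the rules, role names and hierarchy are constructed sample data.

```python
"""Model of the two ways provisioning rules are evaluated: role design
walks the role hierarchy, while the user-provisioning check looks only
at roles directly assigned to, or requested for, a user."""
from collections import deque

# Each provisioning rule names two roles that conflict (constructed sample).
PROVISIONING_RULES = [
    ("Accounts Payable Manager", "Accounts Payable Specialist"),
    ("Payables Invoice Creation", "Payables Payment Creation"),
]

# Role hierarchy: a role maps to the roles it inherits (constructed sample).
ROLE_HIERARCHY = {
    "Custom AP Super User": ["Accounts Payable Manager", "Accounts Payable Specialist"],
    "Accounts Payable Manager": ["Payables Invoice Creation"],
    "Accounts Payable Specialist": ["Payables Payment Creation"],
}

def expand_hierarchy(role, hierarchy=ROLE_HIERARCHY):
    """Return the role plus every role it inherits, transitively (BFS)."""
    seen, queue = {role}, deque([role])
    while queue:
        for child in hierarchy.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def conflicts_in(roles, rules=PROVISIONING_RULES):
    """Rules whose two roles are both present in the given role set."""
    return [(a, b) for a, b in rules if a in roles and b in roles]

def role_design_conflicts(role):
    """Security Console style: conflicts anywhere in the role's hierarchy."""
    return conflicts_in(expand_hierarchy(role))

def user_assignment_conflicts(assigned_roles):
    """REST-method style: only directly assigned or requested roles count."""
    return conflicts_in(set(assigned_roles))
```

Assigning the custom role directly to a user raises no conflict in the direct-assignment check, even though the same role is flagged at design time because both halves of each rule sit in its hierarchy.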