1. Using Advanced Controls
  2. Use Dashboards to Work with Role Requests

Use Dashboards to Work with Role Requests

When you open any of the three Advanced Access Requests work areas, the landing page is a dashboard.

  • The My Access Requests dashboard presents records of requests you've made for yourself or for others, as well as requests others have made on your behalf.
  • The Access Request Reviews dashboard displays records of requests you've been selected to review.
  • The Access Request Approvals dashboard (shown here as an example) contains records of requests for which you're an eligible request approver.
The Access Request Approvals dashboard displays records of four role requests.

Each record shows the name of a user for whom a request has been made, an ID number for the request, and a "badge" that displays the number of controls that have been violated. (A badge might state "Queued" if the request is so new that the Advanced Access Request Analysis job hasn't yet run against it, "Analyzing" if analysis is under way, or "No active controls" if no access controls were active when the job was run.)

Records are categorized by status. You click a filtering option to view request records that include roles whose approval has reached the status you select. In this example, the New Requests option is selected, so you see requests that include roles for which no action has yet been taken. (See "Filtering," below.)

View Request Summaries

To view summary information about a request, click its request ID in a dashboard. Here's an example of a summary record opened from the Access Request Approvals dashboard. A single role, Accounts Payable Manager, has been requested, along with the Business Unit security context. (More on security contexts a little later.) Its badge ("1 violation") shows that if granted, the role assignment would violate one control.

A record of a role request has been selected in the Access Request Approvals dashboard. This produces a summary of the request.

Even though a summary record applies to a single request, it also provides status-based filtering options. That's to accommodate multiple-role requests.

Filtering

A single request may be for more than one role, and the approval process for those roles may be at more than one status. You filter by status for the requests you want to work with.

  • In the My Access Requests, Access Request Reviews, and Access Request Approvals dashboards, the filter for a given status returns all records of role requests at that status. This means that the record for a multiple-role request ID may be selected by more than one filter.

    For example, suppose that a request includes two roles. The result approver has assigned one to a reviewer, but has not yet done anything with the other. A record of the request would appear if you were to select either the New Requests filter or the Pending Review filter.

  • In a summary record, you can filter by status for roles included in the single request whose summary you're viewing, enabling you to revisit requests on which you've already worked. For example, a summary record opened from the Access Request Reviews dashboard has three filters, not only Pending Review but also Accepted Risks and Declined Risks.

View Request Details

From a summary record, you can open a drawer that displays full details for a role you select. If the role you want to work with isn't already on display, select a status filter that returns it. Then click on its name. The drawer opens with the requested role as its heading, and the summary record in the background. (To improve readability, the remaining illustrations show only the drawer.)

The details drawer for a role request has been opened. By default an Approvals tab is selected, showing the history of work on the request.

Click tabs to view types of information you want to see. When you select a tab, its name is underlined and boldfaced. Approvals and Data Requests are tabs available in records opened from any dashboard. Additional tabs are available only in records opened from the Access Request Reviews and Access Request Approvals dashboards. These include Control Violations, Conflicting Roles, and Worker Info.

  • Approvals is the default tab when you open a drawer. In this view, you initially see a list of request approvers (all users assigned the Access Request Security Administrator role). Any one of them may act on the request. When one does, that approver takes responsibility for the request, and other approvers are removed.

    From then on, the Approvals view shows a history of work on the request. In the previous illustration, for example, the bottom row shows that the request approver, Eugene Onegin, assigned a reviewer. (The badge for this row says "Assigned.") The middle row shows that the reviewer, Hans Sachs, has recommended approval. (Its badge says "Accepted risk.") The top row shows that the request awaits final action by the request approver. (Its badge says "Pending....") Each row shows the date and time when the action occurred, and comments written by the actor.

  • Select Data Requests to see the data-security definition configured for the role when it was requested.

    At minimum, a data request consists of two components: A "security context" may be Asset Book, Business Unit, Data Access Set, Ledger, or Reference Data Set. A "security value" is an item appropriate for one of these contexts, configured by your organization. If the role request were approved, it would grant access only to data associated with the security value. For example, if a role request includes the Business Unit context and the name of a business unit as its security value, it would apply only to data pertaining to that unit.

    However, data requests can be more complex. First, the person who requests a role can select any number of security values for a security context. The role would then provide access to data records associated with any of the values. In the following illustration, for example, the security context is Business Unit, and there are two security values, Vision USA and Vision Mexico.

    In the details drawer for a role request, the Data Requests tab is selected. It displays two business units that have been selected as security values for the request.

    Second, the requester can select any number of security contexts, with values appropriate to each. To do so, the requester creates multiple requests for a role, each selecting security values for a distinct security context. The role would then provide access to data records that satisfy values selected for any of the contexts. However, this isn't a common occurrence. Typically, a single security context is appropriate for a role.

  • Select Control Violations to see the names of the access controls violated by the role request. You'll also see counts of the violated controls and the total number of evaluated controls. Or, if no access controls were active when the Advanced Access Request Analysis job was run for the request, an entry tells you so.

  • Select Conflicting Roles to see a list of roles that would conflict with the requested role if the request were approved. Or, if no access controls were active when the Advanced Access Request Analysis job was run for the request, an entry tells you so.

    In the following illustration, active access controls have performed risk analysis for a role request, and the Conflicting Roles tab is selected. The requested role appears as the heading, and each role in the Conflicting Roles list conflicts with it. The entry for each conflicting role includes a description. A long description may be truncated, but you can hover over it to see it in full.

    In the details drawer for a role request, the Conflicting Roles tab is selected, and a list of conflicting roles is on display.

    Two things to note:

    • The number of conflicts may (and often does) differ from the number of controls that have found conflicts. For example, the status badge for this request indicated that one control had been violated. (This badge appears in the summary record of the request shown in the "View Request Summaries" section of this topic.) Even so, as this Conflicting Role tab shows, the one control has detected two conflicts.

    • It's possible for a requested role to conflict with itself. Here, for example, Accounts Payable Manager appears as both the requested role and one of the conflicting roles. This is an example of what's known as an "intrarole" conflict: A role on its own includes access points (privileges in this case) that an access control defines as conflicting.

  • Select Worker Info to see information about two people. On the left, this view identifies the user for whom the role is requested, and on the right, that user's manager. For each, it displays the first and last name, job title, email address, and telephone number. For the user, the view also displays the legal employer, business unit, and department. All of this information is taken from the user's employee record in Human Capital Management. If a request approver decides to submit this request for review, the manager is the default selection for reviewer.

To close the details drawer, click its deletion (×) icon. To return from a summary page to a dashboard, click the View Dashboard button.