How Scoping Conditions Work Together

No matter whether you use top-down or bottom-up scoping, you can create any number of condition filters. They have an OR relationship to one another, so roles that seem to be excluded by one can be selected by another.

Filters must be all-inclusive or all-exclusive to prevent conflicting logic. So if your first condition filter uses the Equals, Contains, or Matches any of condition, each subsequent filter must use any of those three conditions. If the first condition filter uses the Does not equal, Does not contain, or Matches none of condition, each subsequent filter must use any of those three conditions.

Here are two examples:

  • Available roles may include Accounts Payable Supervisor and Accounts Payable Manager. A condition filter may use the Access Point attribute to select the Supervisor role; it would, by itself, exclude the Manager role. But a second condition filter may use the Access Point attribute to select the Manager role. As a result, both roles would be included in the certification project.

  • User1 and User2 are assigned the Accounts Receivable Specialist role. But in Manage Data Access for Users, the assignment to User1 is defined as applying only to data appropriate for a business unit called Europe. The assignment to User2 is defined as applying to a business unit called America. The condition filter Business Unit Contains Europe would, on its own, scope the role as it's assigned to User1, and exclude User2. But a second filter, Business Unit Contains America, would select the assignment to User2, and so the role assignment to both users would be scoped for the certification.

If you use a negative condition (Does not equal, Does not contain, or Matches none of), take care that condition filters don't return unexpected results.

For example, you may want to scope only assignments of the Accounts Receivable Specialist role to users working in business units other than Europe and America. You want, therefore, to exclude the assignments to User1 and User2. So you may create the filters Business Unit Does not contain Europe and Business Unit Does not contain America. But these filters would in fact scope the role assignments to these two users: The filter that excludes Europe would accept the American (User2), and the filter that excludes America would accept the European (User1).

To achieve the effect you want, you should instead create a filter specifying Business Unit Matches none of Europe, America.
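The OR relationship and the negative-condition pitfall above can be checked by modelling the filters as code. The following is an added example, not part of this documentation or the product; it assumes Contains is a substring test, Matches any of/none of are set-membership tests, and it adds a constructed third assignment (User4 in a business unit called Asia) so the difference between the two approaches is visible.

```python
from dataclasses import dataclass

POSITIVE = {"equals", "contains", "matches_any_of"}
NEGATIVE = {"does_not_equal", "does_not_contain", "matches_none_of"}


@dataclass(frozen=True)
class Filter:
    attribute: str      # e.g. "business_unit"
    operator: str       # one of POSITIVE | NEGATIVE
    values: tuple       # one value for (not) equals/contains, many for matches_*


def validate_filters(filters):
    """Reject a filter set that mixes inclusive and exclusive conditions."""
    families = {"inclusive" if f.operator in POSITIVE else "exclusive" for f in filters}
    if len(families) > 1:
        raise ValueError("condition filters must be all-inclusive or all-exclusive")


def filter_selects(f, record):
    """Does a single condition filter select this role-assignment record?"""
    actual = record.get(f.attribute, "")
    if f.operator == "equals":
        return actual == f.values[0]
    if f.operator == "does_not_equal":
        return actual != f.values[0]
    if f.operator == "contains":
        return f.values[0] in actual
    if f.operator == "does_not_contain":
        return f.values[0] not in actual
    if f.operator == "matches_any_of":
        return actual in f.values
    if f.operator == "matches_none_of":
        return actual not in f.values
    raise ValueError(f"unknown operator {f.operator}")


def scope(filters, records):
    """Filters have an OR relationship: a record is scoped if any filter selects it."""
    validate_filters(filters)
    return [r["user"] for r in records if any(filter_selects(f, r) for f in filters)]


# Constructed sample assignments of the Accounts Receivable Specialist role.
ASSIGNMENTS = [
    {"user": "User1", "role": "Accounts Receivable Specialist", "business_unit": "Europe"},
    {"user": "User2", "role": "Accounts Receivable Specialist", "business_unit": "America"},
    {"user": "User4", "role": "Accounts Receivable Specialist", "business_unit": "Asia"},
]
```

Two Does not contain filters scope all three users, whereas a single Matches none of Europe, America filter scopes only User4.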

Additional considerations apply to filters that use the data-security conditions:

  • Your inclusion or exclusion of one role may be inherited by another related role.

    For example, a US Accounts Payable Manager role may be both assignable to users on its own, and included in the role hierarchy of a second role, Accounts Payable North America. Manage Data Access for Users may specify that the assignment of US Accounts Payable Manager to some users grants access only to data associated with the America business unit.

    The filter Business Unit Equals America would select assignments not only of US Accounts Payable Manager, but also of Accounts Payable North America, to those users.

    Note, though, that a certification owner may have selected attributes for display in the certifier worksheet. Appropriate values are displayed in the records of role assignments to users. Each value appears only in records of roles to which the value is assigned directly, not in records of inherited roles. In this example, assume the owner has selected Business Unit as a display attribute. The value America would appear in records of the assignment of US Accounts Payable Manager to users. It wouldn't appear in records of assignments of Accounts Payable North America to users.

  • Although Manage Data Access for Users defines the data available to a user assigned a role, in some cases other security configuration, such as data security policies, may expand the definition created in Manage Data Access for Users.

    For example, suppose User3 is assigned the Accounts Receivable Manager role. In Manage Data Access for Users, the assignment is restricted to data associated with the business unit called AR Brazil. Suppose User3 is also assigned the Accounts Payable Manager role. In Manage Data Access for Users, the assignment is restricted to data associated with the business unit called AP Italy. Owing to data-security-policy configuration, while in an AR Receipts page, User3 would see data only for AR Brazil, but while in an AP invoice page, User3 would see data for both AR Brazil and AP Italy.