1. Using Access Certifications
  2. Create a Condition Scoping Filter

Create a Condition Scoping Filter

Condition filters select from a pool of roles and therefore exclude the roles they don't select.

  • If a certification uses top-down scoping, a condition filter selects from a pool that includes all assignable roles across all the data sources your organization has set up, or all the roles remaining after you've created a data-source filter. The only attribute available to a condition filter is Access Point, and the filter selects or excludes roles involving an access point you specify.

    For example, the condition filter Access Point Equals Accounts Payable Manager would select that one role and so exclude others. Or the condition filter Access Point Does Not Equal Accounts Payable Manager would exclude that role and accept others.

  • If a certification uses bottom-up scoping, a condition filter selects from a pool that includes roles returned by access-point or entitlement filters. (You're unable to submit your scoping filters if, for any data source, you've created a condition filter without also creating at least one access-point or entitlement filter.)

    For the Oracle Cloud data source, the Access Point attribute is available to condition filters, but so are other attributes that recognize definitions configured in the Manage Data Access for Users task in Oracle Fusion Functional Setup Manager. In that task, your organization defines the data access each user has when assigned a particular role. A condition filter may then allow a certification to scope that role, but only as it applies to users with the defined data access.

    For example, Manage Data Access for Users may specify that the assignment of a role to some users grants access only to data associated with a specific business unit. A certification may then scope that role, but if a condition filter sets a Business Unit attribute equal to that unit, the role is scoped only as assigned to those users.

    For the other data sources, only the Access Point attribute is available for condition filters. You can use it to include or exclude roles involving an access point you specify.

To create a condition filter:

  1. Click the Add button in the Scoping Filters region. A row appears.

  2. In the Object field of that row, select Access Condition for a condition that applies to the Oracle Cloud data source. Or, for any other data source, select that value prefixed by the name of the data source to which the condition applies, for example EPM ARCS Access Condition.

  3. In the Attribute field, select the attribute you want to base the condition on.

    • For top-down scoping, select Access Point.

    • For bottom-up scoping, select the Access Point attribute for a condition that applies to any data source. Or, for the Oracle Cloud data source, select any of the data-security attributes that depend on Manage Data Access for Users configurations: Asset Book, Business Unit, Control Budget, Cost Organization, Data Access Set, Intercompany Organization, Inventory Organization, Ledger, Legal Entity, Manufacturing Plant, and Reference Data Set.

  4. In the Condition field, select one in a set of predefined conditions:

    • Equals or Does not equal: Select records with attribute values that match, or don't match, a value you select.

    • Contains or Does not contain: Select records with attribute values whose names include, or don't include, a text string you compose.

    • Matches any of or Matches none of: Select records with attribute values whose names match one of any number of values you select, or match none of them. After you use either of these operators to select one value, an Add another value link appears; for each additional value you want to add to the filter, select from the list it presents.

  5. In the Values field, provide a value that completes the filter:

    • If the filter uses the Access Point attribute, then depending on the condition you selected, specify one or more roles, or a text string that a role name may or may not contain. If the condition requires a role name as a value, the Values field searches for role names that include the text you've typed, and you can select among search results.

    • If the filter uses any of the data-security attributes, then depending on the condition you selected, specify one or more values appropriate for the attribute. For example, for the Business Unit attribute, you'd specify one or more business-unit names, or a text string that a business-unit name may or may not contain.

Note:

In the Oracle Cloud data source, for certain privileges to grant functional access, a user must be granted both the privilege and a corresponding "action" as a "procurement agent" for a business unit. If you use bottom-up scoping, you may specify one of these privileges in an access-point filter, or the privilege may exist in an entitlement you specify in an entitlement filter. The filter returns job roles that include the privilege, but only as they apply to users who also have the appropriate procurement-agent action. Assignments of these roles to users who lack the procurement-agent action are automatically excluded from the certification. You don't need to create condition filters to implement these exclusions. See Exclusions Involving Procurement Agents to view a table listing the privileges and their related procurement-agent actions.