Overview of Advanced Access Requests
Advanced Access Requests implements a self-service workflow for requesting and assigning ERP roles. As steps in this workflow, access controls may perform separation-of-duties and sensitive-access analysis, and a review-and-approval process takes place.
Your current provisioning process might involve four manual steps: First, use the Security Console to assign Fusion roles to ERP users. Second, use the Manage Data Access for Users task in Functional Setup Manager to set data security for the role assignments. Third, check for SOD and sensitive-access policy violations. And last, document business-owner approvals, for example via email. But Advanced Access Requests replaces these steps. Here's how it works:
You request one or more roles, either for yourself or for another user. You can request any role that can be assigned directly to a user, such as a job, data, or abstract role. The request can be for a standard assignment, or for a temporary assignment to address ad hoc tasks such as IT troubleshooting or period-end transactions. A temporary assignment has a specified end date, and a standard assignment does not.
Along with the role, you may request data permissions, which define a set of data records the user can create or work with. For example, these might be records associated with a business unit you specify. If the request were to be granted, the user's authorization for the role would apply only to those records.
Your request and those of other requesters accumulate until an Advanced Access Request job processes them. The job runs on a schedule, although you can also run it on demand in the Scheduling page of Risk Management Setup and Administration.
- The job runs access controls to uncover SOD and sensitive-access issues. This analysis applies to requests for standard assignments, and only if one or more access controls are active. Requested roles may conflict either with each other or with a user's already-assigned roles. When the job finishes running, Advanced Access Requests reports the number of control violations for each role request. It also names the controls that have found violations, identifies the roles that conflict, and provides related data.
- The job bypasses access analysis for temporary-access requests even if access controls are active, or for any requests if no access controls are active.
In either case, a review-and-approval process ensues. The person who makes final decisions about requests is known as a "request approver." Before deciding on a given request, the approver may select a reviewer for it. This person judges whether the risk (or the absence of risk analysis) is acceptable, and therefore if the request should be granted or refused. By default the reviewer is the manager of the user for whom the role has been requested. However, the request approver may select another person with an interest in the work the user would be doing. In any case, the reviewer's judgment isn't binding, and the review process is optional.
Regardless of whether the review step takes place, the request approver determines whether to approve or reject the role for the user. For each approved role, Advanced Access Requests automatically completes these tasks:
- Updates the user's record in the Security Console to add the requested role. This happens whenever a role assignment is approved.
- Creates a new record in the Manage Data Access for Users task of Functional Setup Manager. This record associates the user, role, and data permissions with one another. This happens only when an approved request includes a data definition.
- Creates incidents in the Results work area to track control violations, if the request has generated any.
The request approver can also remove roles from users to whom they're assigned. The approver may be responding to requests by business owners or to removal reports generated by analysis in Oracle Fusion Cloud Access Certifications.
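The analysis rules the job applies, as described above, can be modeled in a few lines. This is an added illustration, not Oracle's code: the `Control` shape (two sides of conflicting roles, or one side for sensitive access), the function name, and all role and control names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Control:
    # Assumed shape: one role from each side violates; empty side_b = sensitive access.
    name: str
    side_a: frozenset
    side_b: frozenset = frozenset()
    active: bool = True

@dataclass(frozen=True)
class RoleRequest:
    user: str
    role: str
    end_date: Optional[date] = None  # a set end date marks a temporary assignment

def analyze(requests, assigned, controls):
    """Per request: whether it was analyzed, plus (control, conflicting role) pairs."""
    active = [c for c in controls if c.active]
    results = []
    for req in requests:
        # Temporary requests, and all requests when no control is active, bypass analysis.
        if req.end_date is not None or not active:
            results.append({"request": req, "analyzed": False, "violations": []})
            continue
        # Assumption: compare with assigned roles and the user's other standard requests.
        others = set(assigned.get(req.user, ())) | {
            r.role for r in requests
            if r.user == req.user and r.end_date is None and r.role != req.role}
        violations = []
        for c in active:
            if not c.side_b and req.role in c.side_a:
                violations.append((c.name, None))  # sensitive access, no second role
            for mine, theirs in ((c.side_a, c.side_b), (c.side_b, c.side_a)):
                if req.role in mine:
                    violations += [(c.name, o) for o in sorted(others & theirs)]
        results.append({"request": req, "analyzed": True, "violations": violations})
    return results

# Constructed sample data; role and control names are illustrative only.
CONTROLS = [Control("SOD: create vs. pay", frozenset({"Payables Specialist"}),
                    frozenset({"Payables Manager"})),
            Control("Sensitive: GL setup", frozenset({"GL Administrator"}))]
ASSIGNED = {"jdoe": {"Payables Specialist"}}
BATCH = [RoleRequest("jdoe", "Payables Manager"),
         RoleRequest("jdoe", "GL Administrator"),
         RoleRequest("asmith", "Payables Manager", end_date=date(2030, 1, 31))]
```

Calling `analyze(BATCH, ASSIGNED, CONTROLS)` returns one entry per request. An entry with `analyzed` set to `False` is a request that reaches the reviewer and approver with no risk analysis behind it.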