1. Using Advanced Controls
  2. Use Dashboards to Work with Role Requests

Use Dashboards to Work with Role Requests

Among the work areas in the Risk Management springboard, three apply to Advanced Access Requests. Access to them depends on the roles users are assigned. The landing page for each is a dashboard.

  • A My Access Requests dashboard presents records of requests you've made for yourself or for others, as well as requests others have made on your behalf.
  • An Access Request Reviews dashboard displays records of requests you've been selected to review.
  • An Access Request Approvals dashboard contains records of requests for which you're an eligible request approver.

Each record in a dashboard shows the name of a user for whom a request has been made, an ID number for the request, and a "badge" that displays the number of controls that have been violated. (A badge might state "Queued" if the request is so new that the Advanced Access Request Analysis job hasn't yet run against it, "Analyzing" if analysis is under way, or "No active controls" if no access controls were active when the job was run.)

Records are categorized by status. You click a filtering option to view request records that include roles whose approval has reached the status you select. (See "Filtering," below.)

View Request Summaries

To view summary information about a request, click its request ID in a dashboard.

The summary record displays the name of the user for whom the request is made, the request ID and date, and its justification (a brief statement written when the request was made). For each requested role, it displays the role name, a security context (more on security contexts a little later), and a badge showing the number of access controls the role assignment would violate.

A special case: For certain privileges that grant access to Procurement functionality, a user must have both the privilege and a corresponding action as a procurement agent for a business unit. If a requested role includes such privileges, a field labeled Procurement Agent Access appears in the summary record available to approvers and reviewers, beneath the Request Date field. For more on this, see Review a Role Request and Assign Reviewers and Approve Role Requests.

Even though a summary record applies to a single request, it also provides status-based filtering options. That's to accommodate multiple-role requests.

Filtering

A single request may be for more than one role, and the approval process for those roles may be at more than one status. You filter by status for the requests you want to work with.

  • In the My Access Requests, Access Request Reviews, and Access Request Approvals dashboards, the filter for a given status returns all records of role requests at that status. This means that the record for a multiple-role request ID may be selected by more than one filter.

    For example, suppose that a request includes two roles. The result approver has assigned one to a reviewer, but has not yet done anything with the other. A record of the request would appear if you were to select either the New Requests filter or the Pending Review filter.

  • In a summary record, you can filter by status for roles included in the single request whose summary you're viewing, enabling you to revisit requests on which you've already worked. For example, a summary record opened from the Access Request Reviews dashboard has three filters, not only Pending Review but also Accepted Risks and Declined Risks.

View Request Details

From a summary record, you can open a drawer that displays details for a role you select. If the role you want to work with isn't already on display, select a status filter that returns it. Then click on its name. The drawer opens with the requested role as its heading.

Click tabs to view types of information you want to see. When you select a tab, its name is underlined and boldfaced. Approvals and Data Permissions tabs are available in records opened from any dashboard. Additional tabs are available only in records opened from the Access Request Reviews and Access Request Approvals dashboards. These include Control Violations, Conflicting Roles, and Worker Info, and may include Role Briefing.

  • Approvals is the default tab when you open a drawer. In this view, you initially see a list of request approvers (all users assigned the Access Request Security Administrator role). Any one of them may act on the request. When one does, that approver takes responsibility for the request, and other approvers are removed.

    From then on, the Approvals tab displays rows that form a history of work on the request. Each row identifies an approver or a reviewer, and displays a badge indicating the status of an action that person is responsible for. When that person completes the action, another row is added, identifying the next person with a task to perform. Each row shows the date and time when an action occurred, and comments written by the actor.

  • Select Data Permissions to see the data-security definition configured for the role request. At minimum, a request for data permissions consists of two components.

    • A "security context" may be any of these labels: Asset Book, Business Unit, Control Budget, Cost Organization, Data Access Set, Intercompany Organization, Inventory Organization, Ledger, Legal Entity, Manufacturing Plant, or Reference Data Set.

    • A "security value" is an item appropriate for one of these contexts, configured by your organization. If the role request were approved, it would grant access only to data associated with the security value.

    For example, if a role request includes the Business Unit context and the name of a business unit as its security value, it would apply only to data pertaining to that unit.

    However, data permissions can be more complex. First, the person who requests a role can select any number of security values for a security context. The role would then provide access to data records associated with any of the values.

    Second, the requester can select any number of security contexts, with values appropriate to each. To do so, the requester creates multiple requests for a role, each selecting security values for a distinct security context. The role would then provide access to data records that satisfy values selected for any of the contexts. However, this isn't a common occurrence. Typically, a single security context is appropriate for a role.

  • Select Control Violations to see the names of the access controls violated by the role request. You'll also see counts of the violated controls and the total number of evaluated controls. Or, if no access controls were evaluated when the Advanced Access Request Analysis job was run for the request, an entry tells you so.

  • Select Conflicting Roles to see a list of roles that would conflict with the requested role if the request were approved. The entry for each conflicting role includes a description. A long description may be truncated, but you can hover over it to see it in full. Or, if no access controls were evaluated active when the Advanced Access Request Analysis job was run for the request, an entry tells you so.

    Two things to note:

    • Because a control may detect more than one conflict, the number of conflicting roles may (and often does) differ from the number of controls that have found conflicts.

    • It's possible for a requested role to conflict with itself. This is known as an "intrarole" conflict: A role on its own includes access points that an access control defines as conflicting. When this occurs, the requested role appears both in the heading of the tab and in the list of conflicting roles.

  • Select Worker Info to see information about two people. On the left, this view identifies the user for whom the role is requested, and on the right, that user's manager. For each, it displays the first and last name, job title, email address, and telephone number. For the user, the view also displays the legal employer, business unit, and department. All of this information is taken from the user's employee record in Human Capital Management. If a request approver decides to submit this request for review, the manager is the default selection for reviewer.

  • Select Role Briefing to display data that informs the approval decision. (This tab appears only if setup steps have been completed. See Activate Role Briefings for Advanced Access Requests.)

    • A Highlights section presents an AI-generated paragraph that summarizes what the role's privileges enable a user to do. It also presents information relevant to the assignment of the role to the user for whom it's requested. This may include the request's data-security definition, access-conflict data, and numbers of other users assigned the role.

    • A Summary of privileges by functional category section uses AI to define categories into which the role's privileges fit, and to describe what the privileges in each category enable a user to do.

    • A Related data access permissions section documents the data-security definition configured for the role request.

    • A Usage in the organization section reports numbers of users assigned the role that's been requested. Counts include users throughout your organization, users who report directly or indirectly to the manager of the user for whom the role is requested, and users who report directly to that manager.

    • An Access certification history section reports the number of users certified to keep the role this briefing is concerned with, and the number for whom role removal was recommended, in the last 12 months. Certifications are performed in the Access Certifications application.

    • An Inherent risks and incident history section gives the numbers of access risks, both intrarole and across-role, that would result if the role were assigned to the user.

    • A Complete list of privileges section presents a list of all the privileges included in the role this briefing is concerned with.

To close the details drawer, click its deletion (×) icon. To return from a summary page to a dashboard, click the View Dashboard button.